Threats Tagged 't1018'

An exposed attacker server has unveiled FortiBleed, a large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways globally. This operation involved credential harvesting through reuse, brute force, and hash cracking using a distributed GPU infrastructure with approximately 36 rented GPUs via Hashtopolis. The exposed directory contained 319 files revealing scanning tools, cracking infrastructure, credential databases, post-exploitation toolkits, and active VPN configurations. While initially reported as affecting 21,632 domains, analysis of the attacker's own tooling reveals only 918 organizations showed evidence of internal network compromise, with merely 148 confirmed cases where credentials were fully cracked. The operation ultimately aimed to sell initial access to compromised networks, with victims spanning 194 countries, predominantly India, United States, and Taiwan.

MediumCampaignUnited StatesBritish Indian Ocean TerritoryColombia+3#vpn compromise#hash cracking#fortibleed

A sophisticated phishing campaign exploits Amazon's brand reputation through spoofed security alerts to deliver HarborWatch Agent, a custom remote access trojan. The attack chain begins with emails impersonating Amazon security notifications about suspicious account activity, directing victims to lookalike domains. Users are presented with fake CAPTCHA verification pages that employ ClickFix social engineering techniques, instructing them to execute PowerShell commands on their own systems. The multi-stage infection downloads mysql.exe from compromised infrastructure, which communicates with a Chinese-language command and control panel branded Harbor Sentinel. The RAT collects extensive system information including OS details, architecture, CPU count, disk usage, memory status, and network configurations, exfiltrating data through API endpoints to the threat actor's monitoring infrastructure.

The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.